...
- Common identity management data model
- Extensible object types:
- User objects to represent users, physical persons and personas
- Role objects to represent roles, privileges, jobs and so on
- Org objects to represent organizational units, teams, workgroups, etc.
- Service objects to represent servers, network devices, mobile devices, network services, etc.
- Numerous built-in properties (a.k.a. core identity schema)
- Extensibility by custom properties
- Completely schema-aware system
- Dynamic schema automatically retrieved from resource
- Support for primitive data types
- Native support of multi-value attributes
- Limited support for complex data types
- Processing and computation fully based on relative changes
- Off-the-shelf support for user password credentials
- Off-the-shelf support for activation (users, roles, orgs, services)
- Enabled/disabled states (extensible in the future)
- Support for user validity time constraints (valid from, valid to)
- Object template to define policies, default values, etc.
- Ability to use conditional mappings (e.g. to create RB-RBAC setup)
- Ability to include other object templates
- Global and resource-specific template setup
- Representation of all configuration and data objects in XML, JSON and YAML
- Annotation support (such as "experimental" and "deprecated" annotation to control data model evolution)
- Customizable PolyString normalization
- Identity management
- Enabling and disabling accounts
- Support for mapping and expressions to determine account attributes
- Multi-layer attribute access limitations
- Provisioning dependencies
- Higher-order dependencies (enables partial support for circular provisioning dependencies)
- Provisioning robustness - ability to provision to non-accessible (offline) resources
- Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
- Provisioning Propagation
- Support for tolerant attributes
- Ability to select tolerant and non-tolerant values using a pattern (regexp)
- Support for volatile attributes (attributes changed by the resource)
- Matching Rules
- Matching rules to support case insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
- Automatic matching rule discovery
- Provisioning scripts
- Ability to execute scripts before/after provisioning operations
- Ad-hoc provisioning script execution
- Import from file and resource
- Advanced support for account activation (enabled/disabled states)
- Standardized account activation that matches user activation schema for easy integration
- Ability to simulate activation capability if the connector does not provide it
- Support for account lock-out
- Support for account validity time constraints (valid from, valid to)
- Support for easy activation existence mappings (e.g. easy configuration of the "disable instead of delete" feature)
- Support for time constraints in activation mappings, which allows configuring time-related provisioning features such as deferred account deletion or pre-provisioning
- Ability to specify set of protected accounts that will not be affected by IDM system
- Support for base context searches for connectors that support object hierarchies (such as LDAP)
- Notifications
- Bulk actions
- Passive Attribute Caching (EXPERIMENTAL)
- Partial multi-tenancy support
- Synchronization
- Live synchronization
- Reconciliation
- Ability to execute scripts before/after reconciliation
- Correlation and confirmation expressions
- Conditional correlation expressions
- Concept of channel that can be used to adjust synchronization behavior in some situations
- Generic Synchronization allows synchronization of roles to groups to organizational units to ... anything
- Self-healing consistency mechanism
- Advanced RBAC
- Expressions in the roles
- Hierarchical roles
- Conditional roles and assignments/inducements
- Parametric roles (including ability to assign the same role several times with different parameters)
- Note: role parameters are only partially supported in the midPoint user interface (hardcoded parameters only)
- Temporal constraints (validity dates: valid from, valid to)
- Metaroles
- Role catalog
- Role request based on shopping cart paradigm
- Several assignment enforcement modes
- Ability to specify global or resource-specific enforcement mode
- Ability to "legalize" assignment that violates the enforcement mode
- Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template and role autoassignment
- Entitlements and entitlement associations
- GUI support for entitlement listing, membership and editing
- Entitlement approval
- User-friendly entitlement association management
- Organizational and Identity governance
- Powerful organizational structure management
- Approvals
- Declarative policy-based multi-level approval process
- Visualization of approval process
- Access certification campaigns
- Ad-hoc recertification
- Escalation in approval and certification processes
- Object history (time machine)
- Rich assignment meta-data
- User-friendly policy selection
- Deputy (ad-hoc privilege delegation)
- Object lifecycle property
- Policy Rules as a unified mechanism to define identity management, governance and compliance policies
- Policy-based approvals driven by policy rules
- Policy rules based on modification of objects, change in assignments and many other conditions
- Policy rules can set policy situation that can be used for basic compliance reports
- Segregation of Duties (SoD)
- Many options to define role exclusions
- SoD approvals
- SoD certification
- Assignment constraints for roles and organizational structure
- Basic role lifecycle management (role approvals)
- Personas
- Expressions, mappings and other dynamic features
- Sequences for reliable allocation of unique identifiers
- Customization expressions
- Groovy
- Python
- JavaScript (ECMAScript)
- Built-in libraries with a convenient set of functions
- PolyString support allows automatic conversion of strings in national alphabets
- Mechanism to iteratively determine unique usernames and other identifiers
- Function libraries
- Web-based administration user interface
- Ability to execute identity management operations on users and accounts
- User-centric views
- Account-centric views (browse and search accounts directly)
- Resource wizard
- Layout automatically adapts to screen size
- Note: intended for desktop only. Small mobile screens may not be supported.
- Easily customizable look & feel
- Built-in XML/JSON/YAML editor for identity and configuration objects
- Identity merge
- Support for custom static web content
- Self-service
- User profile page
- Password management page
- Role selection and request dialog
- Self-registration
- Email-based password reset
- Connectors
- Integration of ConnId identity connector framework
- Support for Evolveum Polygon connectors
- Support for ConnId connectors
- Support for OpenICF connectors (limited)
- Automatic generation and caching of resource schema from the connector
- Local connector discovery
- Support for connector hosts and remote connectors (identity connector and connector host object types)
- Remote connector discovery
- Manual Resource and ITSM Integration
- Flexible identity repository interface with an SQL repository implementation
- Identity repository based on relational databases
- Keeping metadata for all objects (creation, modification, approvals)
- Automatic repository cleanup to keep the data store size sustainable
- Security
- Flexible Authentication
- Service authentication
- Fine-grained authorization model
- Authorization expressions
- Limited power of attorney implementation
- Organizational structure and RBAC integration
- Delegated administration
- Password management
- Password distribution
- Password policies
- Password retention policy
- Password metadata
- Self-service password management
- Password storage options (encryption, hashing)
- Mail-based initialization of passwords for new accounts
- CSRF protection
- Auditing
- Auditing to file (logging)
- Auditing to SQL table
- Interactive audit log viewer
- Extensibility
- Custom schema extensibility
- Scripting Hooks
- Lookup Tables
- Support for overlay projects and deep customization
- Support for programmatic custom GUI forms (Apache Wicket components)
- Basic support for declarative custom forms
- API accessible using REST, web services (SOAP) and local Java calls
- Reporting
- Scheduled reports
- Lightweight reporting (CSV export) built into user interface
- Comprehensive reporting based on Jasper Reports
- Post report script
- Internals
- Operations
- Lightweight deployment structure with two deployment options:
- Stand-alone deployment
- Deployment to web container (WAR)
- Multi-node task manager component with HA support
- Comprehensive logging designed to aid troubleshooting
- Enterprise class scalability (hundreds of thousands of users)
- Documentation
- Administration documentation publicly available in the wiki
- Architectural documentation publicly available in the wiki
- Schema documentation automatically generated from the definition (schemadoc)
Marked features are considered to be high-level identity governance features. These features are not included in Evolveum Limited product support.
Policy rules that are used to configure and execute approvals are included in the Limited product support. Any other use of policy rules is not included.
Following pages provide more information about the features:
...